1.0 (U) Analysis Summary 


(S//NF) The following report discusses activities by a group of hackers known as the Butterfly 
attackers. These attackers used a zero-day exploit that targeted CVE-2013-0422, titled Oracle 
Java Runtime Environment Multiple Remote Code Execution Vulnerabilities. This vulnerability 
was patched on January 31, 2013. The attackers also used a Windows and Mac backdoor named 
OSX.Pintsized and Backdoor.Jiripbot as the payloads. 


(S//NF) The attackers used a watering-hole attack, compromising a mobile phone developer 
website to deliver the Java exploit. In one case a fully up-to-date version of Internet Explorer 10 
was exploited, indicating that a zero-day for this browser may have been used. No further 
information on this exploit was provided. 


(S//NF) In some cases the attackers spread using a Citrix profile management application to 
create a backdoor on the infected system. In another instance the attackers used Team Viewer to 
create copies of the backdoor. 


(S//NF) Various tools used by the hackers were discussed in this report and include: 


• OSX.Pintsized: A well-documented modification of OpenSSH 

• Backdoor.Jiripbot: Primary backdoor tool with a fallback domain generation algorithm 

• Hackertool.Bannerjack: Used to receive default messages (banners) issued by Telnet, HTTP, and 
general TCP servers 

• Hackertool.Multipurpose: Assists in spreading across the network and cleaning up log files 

• Hackertool.Eventlog: Event log parser 

• Hacktool.Proxy.A: Creates a proxy connection to route traffic through an intermediary node 


(S//NF) In conclusion, this report details attacks using a since-patched vulnerability and other 
well-known tools. As such, no PoC is recommended. 


2.0 (U) Description of the Technique 

(S//NF) No techniques are recommended for PoC development. 

3.0 (U) Identification of Affected Applications 
(U) Windows 

4.0 (U) Related Techniques 

(S//NF) Backdoor 

5.0 (U) Configurable Parameters 


(U) None 
6.0 (U) Exploitation Method and Vectors 


(S//NF) These attacks exploited the known and patched vulnerability CVE-2013-0422 and 
possibly an unspecified zero-day vulnerability in Internet Explorer 10. 


7.0 (U) Caveats 

(U) None. 

8.0 (U) Risks 

(S//NF) Not applicable because we do not recommend any techniques for PoC development. 

9.0 (U) Recommendations 


(S//NF) No PoCs recommended. 